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Abstract 



Recently a great deal of attention has focused on quantum computation following 
a sequence of results f|, [Ï6|, |Ï5|] suggesting that quantum computers are more powerful 
than classical probabilistic computers. Following Shor's result that factoring and the 
extraction of discrete logarithms are both solvable in quantum polynomial time, it is 
natural to ask whether all of NP can be efficiently solved in quantum polynomial time. 
In this paper, we address this question by proving that relative to an oracle chosen 
uniformly at random, with probability 1, the class NP cannot be solved on a quantum 
Turing machine in time o(2 n / 2 ). We also show that relative to a permutation oracle 
chosen uniformly at random, with probability 1, the class NP n co NP cannot be 
solved on a quantum Turing machine in time o(2 n / 3 ). The former bound is tight since 
recent work of Grover (TJ] shows how to accept the class NP relative to any oracle on 
a quantum computer in time 0(2 n / 2 ). 



* IBM T. J. Watson Research Laboratory, Yorktown Heights, New York, NY 10598, USA. 
email: bennetc@watson.ibm.com. 

1 1 Microsoft Way, Redmond, WA 98052-6399, USA. email: ethanb@microsoft.com. 

* Supported in part by Canada's NSERC and Québec's FCAR. 

§ Département IRO, Université de Montréal, C.P. 6128, succursale centre- ville, 
Montreal (Québec), Canadà H3C 3J7. email: brassard@iro.umontreal.ca. 
1 Supported by NSF Grant No. CCR-9310214. 

" Computer Science Division, University of Califòrnia, Berkeley, CA 94720, USA. 
email: vazirani@cs.berkeley.edu. 



1 Introduction 



Quantum computational complexity is an exciting new area that touches upon the foun- 
dations of both theoretical computer science and quantum physics. In the early eighties, 
Feynman (Ï2| pointed out that straightforward simulations of quantum mechanics on a clas- 
sical computer appear to require a simulation overhead that is exponential in the size of the 
system and the simulated time; he asked whether this is inherent, and whether it is possible 
to design a universal quantum computer. Deutsch || defined a general model of quantum 
computation: the quantum Turing machine. Bernstein and Vazirani ||J] proved that there is 
an efficient universal quantum Turing machine. Yao [17] extended this by proving that quan- 



tum circuits (introduced by Deutsch |Ï0|) are polynomially equivalent to quantum Turing 
machines. 

The computational power of quantum Turing machines (QTMs) has been explored by 
several researchers. Early work by Deutsch and Jozsa |TTJ showed how to exploit some 
inherently quantum mechanical features of QTMs. Their results, in conjunction with subse- 
quent results by Berthiaume and Brassard || ||, established the existence of oracles under 
which there are computational problems that QTMs can solve in polynomial time with cer- 
tainty, whereas if we require a classical probabilistic Turing machine to produce the correct 
answer with certainty, then it must take exponential time on some inputs. On the other 
hand, these computational problems are in BPPQ relat ive to the same oracle, and there- 
fore efficiently solvable in the classical sense. The quantum analogue of the class BPP is 
the class BQPQ [|]. Bernstein and Vazirani |§ proved that BPP Ç BQP Ç PSPACE, 
thus establishing that it will not be possible to conclusively prové that BQP ^ BPP 
without resolving the major open problem P = PSPACE. They also gave the first evidence 
that BQP ^ BPP (polynomial-time quantum Turing machines are more powerful than 
polynomial-time probabilistic Turing machines), by proving the existence of an oracle rela- 
tive to which there are problems in BQP that cannot be solved with small error probability 
by probabilistic machines restricted to running in 77°( logn ) steps. Since BPP is regarded as 
the class of all "efficiently computable" languages (computational problems), this provided 
evidence that quantum computers are inherently more powerful than classical computers in 
a model-independent way Simón [|nj strengthened this evidence by proving the existence of 
an oracle relative to which BQP cannot even be simulated by probabilistic machines allowed 
to run for 2 n l 2 steps. In addition, Simon's paper also introduced an important new technique 

1 BPP is the class of decision problems (languages) that can be solved in polynomial time by probabilistic 
Turing machines with error probability bounded by 1/3 (for all inputs). Using Standard boosting techniques, 
the error probability can then be made exponentially small in k by iterating the algorithm k times and 
returning the majority answer. 

2 BQP is the class of decision problems (languages) that can be solved in polynomial time by quantum 
Turing machines with error probability bounded by 1/3 (for all inputs) — see Q for a formal definition. 
We prové in Section ^ of this paper that, as is the case with BPP, the error probability of BQP machines 
can be made exponentially small. 
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which was one of the ingredients in a remarkable result proved subsequently by Shor ||15|| . 
Shor gave polynomial-time quantum algorithms for the factoring and discrete logarithm 
problems. These two problems have been well-studied, and their presumed intractability 
forms the basis of much of modern cryptography. In view of these results, it is natural 
to ask whether NP Ç BQP; i.e. can quantum computers solve NP-complete problems in 
polynomial time?[] 

In this paper, we address this question by proving that relative to an oracle chosen 
uniformly at random ||, with probability 1, the class NP cannot be solved on a quantum 
Turing machine in time o(2 n / 2 ). We also show that relative to a permutation oracle chosen 
uniformly at random, with probability 1, the class NP fi co— NP cannot be solved on a 
quantum Turing machine in time o(2 n / 3 ). The former bound is tight since recent work of 
Grover [|13j shows how to accept the class NP relative to any oracle on a quantum computer 
in time 0(2 n / 2 ). See for a detailed analysis of Grover's algorithm. 

What is the relevance of these oracle results? We should emphasize that they do not 
rule out the possibility that NP Ç BQP. What these results do establish is that there is 
no black-box approach to solving NP-complete problems by using some uniquely quantum- 
mechanical features of QTMs. That this was a real possibility is clear from Grover's [13| 
result, which gives a black-box approach to solving NP-complete problems in square-root 
as much time as is required classically. 

One way to think of an oracle is as a special subroutine call whose invocation only costs 
unit time. In the context of QTMs, subroutine calls pose a special problem that has no 
classical counterpart. The problem is that the subroutine must not leave around any bits 
beyond its computed answer, because otherwise computational paths with different residual 
information do not interfere. This is easily achieved for deterministic subroutines since any 
classical deterministic computation can be carried out reversibly so that only the input and 
the answer remain. However, this leaves open the more general question of whether a BQP 
machine can be used as a subroutine. Our final result in this paper is to show how any 
BQP machine can be modified into a tidy BQP machine whose final superposition consists 
almost entirely of a tape configuration containing just the input and the single bit answer. 
Since these tidy BQP machines can be safely used as subroutines, this allows us to show 
that BQP B( ^ P = BQP. The result also justifies the definition of oracle quantum machines 
that we now give. 



3 Actually it is not cvcn clear whether BQP Ç BPP ; i.e. it is unclear whether nondeterminism 
together with randomness is sufficient to simulate quantum Turing machines. In fact, Bcrnstcin and Vazi- 
rani's result is stronger than stated above. They actually proved that relative to an oracle, the recursive 
Fourier sampling problem can be solved in BQP, but cannot even be solved by Arthur-Merlin games Q 
with a time bound of n ' logTi ' (thus giving evidence that nondeterminism on top of probabilism does not 
help). They conjecture that the recursive Fourier sampling cannot even be solved in the unrelativized 
polynomial-time hierarchy. 
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2 Oracle Quantum Turing Machines 



In this section and the next, we shall assume without loss of generality that the Turing 
machine alphabet (for each track or tape) is {0, 1, where denotes the blank symbol. 
Initially all tapes are blank except that the input tape contains the actual input surrounded 
by blanks. We shall use £ to denote {0, 1}. 

In the classical setting, an oracle may be described informally as a device for evaluating 
some Boolean function A : E* — > S, on arbitrary arguments, at unit cost per evaluation. 
This allows to formulate qüestions such as "if A were efficiently computable by a Turing 
machine, which other functions (or languages) could be efficiently computed by Turing ma- 
chines?". In the quantum setting, an equivalent question can be asked, provided we define 
oracle quantum Turing machines appropriately — which we do in this section — and provided 
bounded-error quantum Turing machines can be composed — which we show in Section [| of 
this paper. 

An oracle QTM has a special query tape (or track), all of whose celis are blank except for 
a single block of non-blank celis. In a well-formed oracle QTM, the Turing machine rules may 
allow this region to grow and shrink, but prevent it from fragmenting into non-contiguous 
blocks. f\ Oracle QTMs have two distinguished infernal states: a pre-query state q q and a 
post-query state q a . A query is executed whenever the machine enters the pre-query state. 
If the query string is empty, a no-op occurs, and the machine passes directly to the post- 
query state with no change. If the query string is nonempty, it can be written in the form 
xob where x G £*, b G S, and "o" denotes concatenation. In that case, the result of a call on 
oracle A is that infernal control passes to the post-query state while the contents of the query 
tape changes from \x o b) to \x o (6 © A(x))), where "©" denotes the exclusive-or (addition 
modulo 2). Except for the query tape and infernal control, other parts of the oracle QTM 
do not change during the query. If the target bit |6) is supplied in initial state |0), then its 
final state will be |A(íc)), just as in a classical oracle machine. Conversely, if the target bit is 
already in state |A(íe)), calling the oracle will reset it to |0). This ability to "uncompute" will 
often prové essential to allow proper interference among computation paths to take place. 
Using this fact, it is also easy to see that the above definition of oracle Turing machines yields 
unitary evolutions if we restrict ourselves to machines that are well-formed in other respects, 
in particular evolving unitarily as they enter the pre-query state and leave the post-query 
state. 

The power of quantum computers comes from their ability to follow a coherent superpo- 
sition of computation paths. Similarly oracle quantum machines derive great power from the 
ability to perform superpositions of queries. For example, oracle A might be called when the 
query tape is in state |^o0) = J2x a x\x°ty, where a x are complex coefficients, corresponding 
to an arbitrary superposition of queries with a constant |0) in the target bit. In this case, 

4 This restriction can be made without loss of generality and it can be verified syntactically by allowing 
only machines that make sure they do not break the rule before writing on the query tape. 
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after the query, the query string will be left in the entangled state Y^x a x\ x ° A(x)). It is 
also useful to be able to put the target bit b into a superposition. For example, the con- 
ditional phase inversion used in Grover's algorithm can be achieved by performing queries 
with the target bit b in the nonclassical superposition (3 = (|0) — \ l))/y/2. It can readily be 
verified that an oracle call with the query tape in state xo (3 leaves the entire machine state, 
including the query tape, unchanged if A(x) = 0, and leaves the entire state unchanged while 
introducing a phase factor — 1 if A(x) = 1. 

It is often convenient to think of a Boolean oracle as defming a length-preserving function 
on E*. This is easily accomplished by interpreting the oracle answer on the pair (x,i) as 
the i th bit of the function value. The pair (x, i) is encoded as a binary string using any 
Standard pairing function. A permutatíon oracle is an oracle which, when interpreted as a 
length-preserving function, acts for each n > as a permutation on S n . Henceforth, when no 
confusion may arise, we shall use A(x) to denote the length-preserving function associated 
with oracle A rather than the Boolean function that gives rise to it. 

Let us define BQTime(T(n)) yl as the sets of languages accepted with probability at 
least 2/3 by some oracle QTM M A whose running time is bounded by T(n). This bound 
on the running time applies to each individual input, not just on the average. Notice that 
whether or not M A is a BQP-machine might depend upon the oracle A — thus M A might 
be a BQP-machine while M B might not be one. 

Note: The above definition of a quantum oracle for an arbitrary Boolean function will suffice 
for the purposes of the present paper, but the ability of quantum computers to perform 
general unitary transformations suggests a broader definition, which may be useful in other 
contexts. For example, oracles that perform more general, non-Boolean unitary operations 
have been considered in computational learning theory || and for hiding information against 
classical queries [Q. 

Most broadly, a quantum oracle may be defined as a device that, when called, applies 
a fixed unitary transformation U to the current contents \z) of the query tape, replacing it 
by U\z). Such an oracle U must be defined on a countably infinite-dimensional Hilbert space, 
such as that spanned by the binary basis vectors |e), |0), |1), |00), 1 01) , |10), |11), 1 000) , . . . , 
where e denotes the empty string. Clearly, the use of such general unitary oracles still yields 
unitary evolution for well-formed oracle Turing machines. Naturally, these oracles can map 
inputs onto superpositions of outputs, and vice versa, and they need not even be length- 
preserving. However, in order to obey the dictum that a single machine cycle ought not to 
make infinite changes in the tape, one might require that U\z) have amplitude zero on all but 
finitely many basis vectors. (One could even insist on a uniform and effective version of the 
above restriction.) Another natural restriction one may wish to impose upon U is that it be 
an involution, U 2 = I, so that the effect of an oracle call can be undone by a further call on 
the same oracle. Again this may be crucial to allow proper interference to take place. Note 
that the special case of unitary transformation considered in this paper, which corresponds 
to evaluating a classical Boolean function, is an involution. 
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3 Difficulty of Simulating Nondeterminism on QTMs 



The computational power of QTMs lies in their ability to maintain and compute with expo- 
nentially large superpositions. It is tempting to try to use this "exponential parallelism" 
to simulate non-determinism. However, there are inherent constraints on the scope of this 
parallelism, which are imposed by the formalism of quantum mechanics.Q In this section, 
we explore some of these constraints. 

To see why quantum interference can speed up NP problems quadratically but not 
exponentially, consider the problem of distinguishing the empty oracle (\/ x A(x) = 0) from 
an oracle containing a single random unknown string y of known length n (i.e. A(y) = 1, but 
\/ x ^ y A(x) =0). We require that the computer never answer yes on an empty oracle, and seek 
to maximize its "success probability" of answering yes on a nonempty oracle. A classical 
computer can do no better than to query distinct n-bit strings at random, giving a success 
probability l/2 íl after one query and k/2 n after k queries. How can a quantum computer do 
better, while respecting the rule that its overall evolution be unitary, and, in a computation 
with a nonempty oracle, all computation paths querying empty locations evolve exactly as 
they would for an empty oracle? A direct quantum analog of the classical algorithm would 
start in an equally-weighted superposition of 2™ computation paths, query a different string 
on each path, and finally collapse the superposition by asking whether the query had found 
the nonempty location. This yields a success probability 1/2", the same as the classical 
computer. However, this is not the best way to exploit quantum parallelism. Our goal 
should be to maximize the separation between the state vector after k interactions with 
an empty oracle, and the state vector \ipk{y)) after k interactions with an oracle nonempty 
at an unknown location y. Starting with a uniform superposition 

it is easily seen that the separation after one query is maximized by a unitary evolution to 

\Mv)) = ÍEHM^) = l^o) - -L\v). 

V Z n x yZ n 

This is a phase inversion of the term corresponding to the nonempty location. By testing 
whether the post-query state agrees with \ip ) we obtain a success probability 

i - \(HMy))\ 2 « 4/2™ 

5 There is a superficial similarity between this exponential parallelism in quantum computation and 
the fact that probabilistic computations yield probability distributions over exponentially large domains. 
The difference is that in the probabilistic case, the computational path is chosen by making a sequence of 
random choices — one for each step. In the quantum-mechanical case, it is possible for several computational 
paths to interfere destructively, and therefore it is necessary to keep track of the entire superposition at each 
step to accurately simulate the system. 
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approximately four times better than the classical value. Thus, if we are allowed only one 
query, quantum parallelism gives a modest improvement, but is still overwhelmingly likely 
to fail because the state vector after interaction with a nonempty oracle is almost the same 
as after interaction with an empty oracle. The only way of producing a large difference after 
one query would be to concentrate much of the initial superposition in the y term before the 
query, which cannot be done because that location is unknown. 

Having achieved the maximum separation after one query, how best can that separation 
be increased by subsequent queries? Various strategies can be imagined, but a good one 
(called "inversion about the average" by Grover ÏÏT3"| ) is to perform an oracle- independent 
unitary transformation so as to change the phase difference into an amplitude difference, 
leaving the y term with the same sign as all the other terms but a magnitude approximately 
threefold larger. Subsequent phase- inverting interactions with the oracle, alternating with 
oracle-independent phase-to-amplitude conversions, cause the distance between \ip ) and 
\ipk(y)) to grow linearly with k, approximately as 2k/y/2P when k < y/N /2. This results in 
a quadratic growth of the success probability, approximately as 4k 2 /2 n for small k. The proof 
of Theorem 3.5 shows that this approach is essentially optimal: no quantum algorithm can 
gain more than this quadratic factor in success probability compared to classical algorithms, 
when attempting to answer NP-type qüestions formulated relative to a random oracle. 

3.1 Lower Bounds on Quantum Search 

We will sometimes find it convenient to measure the accuracy of a simulation by calculating 
the Euclidean distance [] between the target and simulation superpositions. The following 
theorem from Q shows that the simulation accuracy is at most 4 times worse than this 
Euclidean distance. 

Theorem 3.1 Iftwo unit-length superpositions are within Euclidean distance e then observ- 
ing the two superpositions gives samples from distributions which are within total variation 
distance\\ at most Ae. 

Definition 3.2 Let be the superposition of M A on input x at time i. We denote by 
q y {\4>i)) the sum of squared magnitudes in of configurations of M which are querying the 
oracle on string y. We refer to q y (\4>i)) as the query magnitude of y in \(j>i). 

Theorem 3.3 Let be the superposition of M A on input x at time i. Let e > 0. 

2 

Let F Ç [0, T— 1] x X* be a set of tíme-strings paírs such that J2(í, v )^f Q.y\\4>i)) — Y ú 

6 The Euclidean distance between \4>) = J2 X a A x ) an d IV') = J2 X @\ x ) IS defined as Ç%2 X \a x — I3 X \ 2 ) X / 2 . 
7 The total variation distance between two distributions V and V is J2 X I^K 2 -) — ^'( x )\- 
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Now suppose the answer to each query (i, y) G F is modífied to some arbítrary fixed a^y 
(these answers need not be consistent with an oracle). Let be the time i superposition of 
M on input x with oracle A modified as stated above. Then \ \4>t) — \<Pt)\ — £ - 

Proof. Let U be the unitary time evolution operator of M A . Let Ai denote an oracle such 
that if (i, y) G F then A^y) = a^ y and if (i, y) £ F then Ai(y) = A(y). Let U be the unitary 
time evolution operator of M Ai . Let be the superposition of M A on input x at time i. 
We define \Ei) to be the error in the i th step caused by replacing the oracle A with A4. Then 

\E l ) = U l \<f )l }-U\ ( j )l ). 

So we have 

T-l 

\<h) = U\<h-i) = U T \<h-x) ~ \E T -i) = ■ ■ ■ = U T ■ ■ ■ UM - £ C/t-i • • • U\E t ). 

Since all of the U are unitary, \Ut-i ■ ■ • Uí\Eí)\ = \\Ei)\. 

The sum of squared magnitudes of all of the Ei is equal to Y^(i, y )eF %{\4>i)) anc l therefore 
at most L·. In the worst case, the Ut-i • • - U^E^s could interfere constructively; however, 
the squared magnitude of their sum is at most T times the sum of their squared magnitudes, 
i.e. e 2 . Therefore \ \(p T ) ~ Wt) \ < e - u 



Corollary 3.4 Let A be an oracle over alphabet E. For y G S* ; let A y be any oracle such 
that Vx 7^ y A y (x) = A{x). Let be the time i superposition of M A on input x and \4>i)^ 
be the time i superposition of M v on input x. Then for every e > 0, there is a set S of 
cardinality at most 2 -Ç- such that \/y £ S \<j)j) — \4>t) 



< e. 



Proof. Since each \<f> t ) has unit length, Y,ï=o H y Qy{\<f>i)) ^ T. Let S be the set of strings y 
such that Yh=o Qy(\<i>i)) > Clearly card(S') < ^Ç. 



If y ^ S then 2 i=0 Qyd&i)) < §f Therefore by Theorem [O] \/y ^ S \4>i) — \4>i) 



< e. 
□ 



Theorem 3.5 For any T{n) which is o(2 n//2 ), relative to a random oracle, with probability 1, 
BQTime(T(n)) does not contain NP. 

Proof. Recali from Section ^| that an oracle can be thought of as a length-preserving 
function: this is what we mean below by A(x). Let Ca = {y '■ 3x A(x) = y}. Clearly, this 
language is contained in NP A . Let T{n) = o(2 n//2 ). We show that for any bounded-error 



8 



oracle QTM M A running in time at most T{n), with probability 1, M A does not accept 
the language Ca- The probability is taken over the choice of a random length-preserving 
oracle A. Then, since there are a countable number of QTMs and the intersection of a 
countable number of probability 1 events still has probability 1, we conclude that with 
probability 1, no bounded error oracle QTM accepts Ca in time bounded by T(n). 

Since T(n) = o(2 n / 2 ), we can pick n large enough so that T(n) < We will show that 
the probability that M gives the wrong answer on input l n is at least 1/8 for every way of 
fixing the oracle answers on inputs of length not equal to n. The probability is taken over 
the random choices of the oracle for inputs of length n. 

Let us fix an arbitrary length-preserving function from strings of lengths other than n over 
alphabet S. Let C denote the set of oracles consistent with this arbitrary function. Let A 
be the set of oracles in C such that 1™ has no inverse (does not belong to Ca)- If the oracle 
answers to length n strings are chosen uniformly at random, then the probability that the 
oracle is in A is at least 1/4. This is because the probability that l n has no inverse is ( 2 -^) 2 ™ 
which is at least 1/4 (for n sufficiently large). Let B be the set of oracles in C such that 
l n has a unique inverse. As above, the probability that a randomly chosen oracle is in B is 
(^r^) 2 ™^ 1 which is at least 1/e. 

Given an oracle A in A, we can modify its answer on any single input, say y, to 1" and 
therefore get an oracle A y in B. We will show that for most choices of y, the acceptance 
probability of M A on input l n is almost equal to the acceptance probability of M Ay on 
input l n . On the other hand, M A must reject l n and M Ay must accept 1™. Therefore M 
cannot accept both Ca and Ca v - By working through the details more carefully, it is easy to 
show that M fails on input l n with probability at least 1/8 when the oracle is a uniformly 
random function on strings of length n, and is an arbitrary function on all other strings. 

Let A y be the oracle such that A y (y) = 1™ and Wz ^ y A y (z) = A(z). By Corollary |3]4| 
there is a set S of at most 338T 2 (n) strings such that the difference between the i th superpo- 
sition of M Ay on input l n and M A on input l n has norm at most 1/13. Using Theorem |3.1| 
we can conclude that the difference between the acceptance probabilities of M Ay on input l n 
and M A on input l n is at most 1/13x4 < 1/3. Since M Ay should accept 1™ with probability 
at least 2/3 and M A should reject l n with probability at least 2/3, we can conclude that M 
fails to accept either Ca or Ca v - 

So, each oracle A G A for which M correctly decides whether l n G Ca can, by changing 
a single answer of A to l n , be mapped to at least (2 n — card(S')) > 2 n_1 different oracles 
Af G B for which M fails to correctly decide whether l n G Ca s - Moreover, any particular 
Af G B is the image under this mapping of at most 2 n — 1 oracles A G A, since where it 
now answers l n , it must have given one of the 2 n — 1 other possible answers. Therefore, the 
number of oracles in B for which M fails must be at least 1/2 the number of oracles in A 
for which M succeeds. So, calling a the number of oracles in A for which M fails, M must 
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fail for at least a + 1/2 (card (.4.) — a) oracles. Therefore M fails to correctly decide whether 
l n G C A with probability at least (1/2) P[A] > 1/8. 

It is easy to conclude that M decides membership in Ca with probability for a uniformly 
chosen oracle A. □ 



Note: Theorem [O] and its Corollary |3.4| isolate the constraints on "quantum parallelism" 
imposed by unitary evolution. The rest of the proof of the above theorem is similar in spirit 
to Standard techniques used to separate BPP from NP relative to a random oracle [[|. 
For example, these techniques can be used to show that, relative to a random oracle A, 
no classical probabilistic machine can recognize Ca in time o(2 n ). However, quantum ma- 



chines can recognize this language quadratically faster, in time 0(v2 n ), using Grover's 



algorithm [13]. This explains why a substantial modification of the Standard technique was 
required to prové the above theorem. 

The next result about NP fi co— NP relative to a random permutation oracle requires 
a more subtle argument; ideally we would like to apply Theorem ^3] after asserting that 
the total query magnitude with which y4 _1 (l n ) is probed is small. However, this is precisely 
what we are trying to prové in the first place. 

Theorem 3.6 For any T(n) which is o(2 n//3 ) ; relative to a random permutation oracle, with 
probability 1, BQTime(T(n)) does not contain NP fi co— NP. 

Proof. For any permutation oracle A, let Ca = {y '■ first bit of A _1 (y) is 1}. Clearly, 
this language is contained in (NP n co— NP)" 4 . Let T{n) = o(2™/ 3 ). We show that for any 
bounded-error oracle QTM M A running in time at most T(n), with probability 1, M A does 
not accept the language Ca- The probability is taken over the choice of a random permutation 
oracle A. Then, since there are a countable number of QTMs and the intersection of a 
countable number of probability 1 events still has probability 1, we conclude that with 
probability 1, no bounded error oracle QTM accepts Ca in time bounded by T(n). 

Since T{n) = o(2 n//3 ), we can pick n large enough so that T(n) < \-^· We will show that 
the probability that M gives the wrong answer on input 1™ is at least 1/8 for every way of 
fixing the oracle answers on inputs of length not equal to n. The probability is taken over 
the random choices of the permutation oracle for inputs of length n. 

Consider the following method of defining random permutations on {0, 1}™: let 
Xq,Xi, . . . Xt+i be a sequence of strings chosen uniformly at random in {0,1}™. Pick 7r 
uniformly at random among permutations such that it(xq) = l n . Let tïí = iïí-i ■ r, where r 
is the transposition (xí-x,Xí), i.e. 7Tí(xí) = 7Tj_i(xj_i) and ttí(xí-i) = ití-i(xí). Clearly each 
7T, is a random permutation on {0, 1}™. 

Consider a sequence of permutation oracles Ai, such that Ai(y) = Aj(y) if y fi {0, 1}™ 
and Ai(y) = 71* (y) if y G {0, l} n . Denote by the time i superposition of M At <") 



10 



on input 1™, and by ](/)[) the time i superposition of M" 4 ^")- 1 on input l n . By con- 
struction, with probability exactly 1/2, the string l n is a member of exactly one of the 



two languages LA T(n) and La 



T(n)- 



We will show that E[ 



>T(n) 



Here the expectation is taken over the random choice of the oracles 
bound, P{ |0 T(n) ) - |^ (n) ) < 2/25] > 3/4 



) 



V(n)>] < 1/50. 

By Markov's 

Applying Theorem 34 we conclude that if 
T(n)) < 2/25, then the acceptance probability of M At ^ and M^f")- 1 differ 



by at most 8/25 < 1/3, and hence either both machines accept input l n or both reject that 
input. Therefore M At (™) and M" 4 ^™)- 1 give the same answers on input 1™ with probability at 
least 3/4. By construction, the probability that the string l n belongs to exactly one of the 
two languages La t(ti) and L^,, , is equal to Pffirst bit of 2/r(n)-i 7^ fi rs t bit of xto)] = 1/2. 
Therefore, we can conclude that with probability at least 1/4, either M At ^ or M" 4 ^™'- 1 
gives the wrong answer on input l n . Since each of Arpuc\ and Ax( n )-i are chosen from the 
same distribution, we can conclude that M T W gives the wrong answer on input l n with 
probability at least 1/8. 

To bound E[ \4>T{n)) ~ \4>T{n)) \i we show that \4>T{n)) an d \4"T(n)) are eac h c l° se to a certain 
superposition \ipT(n))- To define this superposition, run M on input l n with a different oracle 
on each step: on step i, use Ai to answer the oracle queries. Denote by the time i super- 
position that results. Consider the set of time-string pairs S — {(i,Xj) : j > i, < i < T}. 
It is easily checked that the oracle queries in the computation described above and those of 
M A T(n) anc [ M A T{ n )+ï ^jffer only on the set S. We claim that the expected query magnitude 
of any pair in the set is at most l/2 n , since for j > i, we may think of Xj as having been 
randomly chosen during step j, after the superposition of oracle queries to be performed 
has already been written on the oracle tape. Let a be the sum of the query magnitudes for 
time-string pairs in S. Then 



E[a] < card(5)/2 n 



'T(n) + 1 N 



T{n) 



for T(n) > 4. Let e be a random variable such that at = e 2 /2T(n). Then by Theorem [O 

\<f>) ~ \<h(n)) < £ and \<p) - \<f> T{n) ) 



< e. We showed above that 
T(n) 2 



E[e 2 /T{n)] = E[a] < 



But E[e/JlT{n)Y < E[e 2 /2T(n)}. Therefore 



E[e] = J2T(n)E[e/J2T(n)] < J2T(n)E[e 2 /2T(n)] < \ 2T(n)'^^- < 



< 1/100. 



Therefore E\ 



\<h(n)) } < E[e] < 1/100 and E[ 



2 n ~ V 100 3 

T(n))|] < E l £ ) < V 100 " foUoWS 



that E\ 



\<f>T(n)) - l0T(n)) 1 < 1 / 50 - 
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Finally, it is easy to conclude that M decides membership in Ca with probability for a 
uniformly random permutation oracle A. □ 



Note: In view of Grover's algorithm [plj, we know that the constant "1/2" in the state- 



ment of Theorem |3J| cannot be improved. On the other hand, there is no evidence that 
the constant "1/3" in the statement of Theorem |3.6| is fundamental. It may well be that 
Theorem |3lj| would still hold (albeit not its current proof) with 1/2 substituted for 1/3. 



Corollary 3.7 Relative to a random permutation oracle, with probability 1, there exists a 
quantum one-way permutation. Given the oracle, this permutation can be computed effi- 
ciently even with a classical deterministic machine, yet it requires exponential time to invert 
even on a quantum machine. 

Proof. Given an arbitrary permutation oracle A for which A~ x can be computed in time 
on a quantum Turing machine, it is just as easy to decide Ca as defined in the proof 
of Theorem |3.6| . It follows from that proof that this happens with probability when A is 
a uniformly random permutation oracle. □ 



4 Using a Bounded-Error QTM as a Subroutine 

The notion of a subroutine call or an oracle invocation provides a simple and useful abstrac- 
tion in the context of classical computation. Before making this abstraction in the context of 
quantum computation, there are some subtle considerations that must be thought through. 
For example, if the subroutine computes the function /, we would like to think of an invo- 
cation of the subroutine on the string x as magically writing f(x) in some designated spot 
(actually xoring it to ensure unitarity). In the context of quantum algorithms, this abstrac- 
tion is only vàlid if the subroutine cleans up all traces of its intermediate calculations, and 
leaves just the final answer on the tape. This is because if the subroutine is invoked on a 
superposition of x's, then different vàlues of x would result in different scratch-work on the 
tape, and would prevent these different computational paths from interfering. Since erasing 
is not a unitary operation, the scratch-work cannot, in general, be erased post-facto. In the 
special case where / can be efficiently computed deterministically, it is easy to design the 
subroutine so that it reversibly erases the scratch-work — simply compute f(x), copy f(x) 
into safe storage, and then uncompute f(x) to get rid of the scratch work 0. However, in the 
case that / is computed by a BQP machine, the situation is more complicated. This is be- 
cause only some of the computational paths of the machine lead to the correct answer f(x), 
and therefore if we copy f(x) into safe storage and then uncompute f(x), computational 
paths with different vàlues of f(x) will no longer interfere with each other, and we will not 
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reverse the first phase of the computation. We show, nonetheless, that if we boost the suc- 
cess probability of the BQP machine before copying f(x) into safe storage and uncomputing 
f(x), then most of the weight of the final superposition has a clean tape with only the input 
x and the answer f(x). Since such tidy BQP machines can be safely used as subroutines, 
this allows us to show that BQP BC ^ P = BQP. The result also justifies our definition of 
oracle quantum machines. 



The correctness of the boosting procedure is proved in Theorems [4. 13| and |4.14| . The proof 
follows the same outline as in the classical case, except that we have to be much more careful 
in simple programming constructs such as looping, etc. We therefore borrow the machinery 
developed in @] for this purpose, and present the statements of the relevant lemmas and 
theorems in the first part of this section. The main new contribution in this section is in the 
proofs of Theorems |4.13| and [4.14 The reader may therefore wish to skip directly ahead to 
these proofs. 



4.1 Some Programming Primitives for QTMs 

In this subsection, we present several definitions, lemmas and theorems from J|. 

Recali that a QTM M is defined by a triplet (£, Q, 5) where: S is a finite alphabet with 
an identified blank symbol Q is a finite set of states with an identified initial state Ço an d 
final state qf ^ q^, and 5, the quantum transition function, is a function 

5 : Q x £ -> C s x Q x {L ' R 1 

where C is the set of complex numbers whose real and imaginary parts can be approximated 
to within 2~ n in time polynomial in n. 

Definition 4.1 A final configuration of a QTM is any configuration in state qf. If when 
QTM M is run with input x, at time T the superposition contains only final configurations 
and at any time less than T the superposition contains no final configuration, then M halts 
with running time T on input x. The superposition of M at time T is called the final 
superposition of M run on input x. A polynomial-time QTM is a well-formed QTM which 
on every input x halts in time polynomial in the length of x. 



Definition 4.2 A QTM M is called well-behaved if it halts on all input strings in a final 
superposition where each configuration has the tape head in the same celi. If this celi is 
always the start celi, we call the QTM stationary. 

We will say that a QTM M is in normal form if all transitions from the distinguished 
state qf lead to the distinguished state qo, the symbol in the scanned celi is left unchanged, 
and the head moves right, say. Formally: 
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Definit ion 4.3 A QTM M = (E, Q, 5) is in normal form if 

VaGE 5(q f ,a) = \a)\q }\R} 



Theorem 4.4 If f is a function mapping strings to strings which can be computed in deter- 
ministic polynomial time and such that the length of f(x) depends only on the length of x, 
then there is a polynomial-time, stationary, normal form QTM which given inputx, produces 
output x; f(x), and whose running time depends only on the length of x. 

If f is a one-to-one function from strings to strings that such that both f and f~ x can be 
computed in deterministic polynomial time, and such that the length of f(x) depends only on 
the length of x, then there is a polynomial-time, stationary, normal form QTM which given 
input x, produces output f{x), and whose running time depends only on the length of x. 

Definition 4.5 A multi-track Turing machine with k tracks is a Turing machine whose 
alphabet E is of the form E x x E 2 x • • • x E fc with a special blank symbol # in each Ej so that 
the blank in E is ...,#). We specify the input by specifying the string on each "track" 
(separated by ';'), and optionally by specifying the alignment of the contents of the tracks. 

Lemma 4.6 Given any QTM M = (E, Q, 5) and any set E' ; there is a QTM 
M' = (E x E', Q, 5') such that M' behaves exactly as M while leaving its second track 
unchanged. 

Lemma 4.7 Given any QTM M = (Ei x • • • x E fe , Q, 5) and permutation n : [1, k] — > [1, k], 

there is a QTM M' = (S 7r (i) x • ■ • x E 7r (fc), Q, 5 f ) such that the M' behaves exactly as M except 
that its tracks are permuted according to ir. 

Lemma 4.8 If Mi and M 2 are well-behaved, normal form QTMs with the same alphabet, 
then there is a normal form QTM M which carries out the computation of M\ followed by 
the computation of M 2 . 

Lemma 4.9 Suppose that M is a well-behaved, normal form QTM. Then there is a normal 
form QTM M' such that on input x; k with k > 0, the machine M' runs M for k iterations 
on its first track. 
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Definition 4.10 If QTMs M\ and M 2 have the same alphabet, then we say that M 2 reverses 
the computation of M\ if the following holds: for any input x on which M\ halts, let c x and 
(j) x be the initial configuration and final superposition of M\ on input x. Then M 2 on input 
the superposition <f) x , halts with final superposition consisting entirely of configuration c x . 
Note that for M 2 to reverse M 1; the final state of M 2 must be equal to the initial state of M 1 
and vice versa. 

Lemma 4.11 If M is a normal form QTM which halts on all inputs, then there is a normal 
form QTM M' that reverses the computation of M with slowdown by a factor of 5. 

Finally, recali the definition of the class BQP. 

Definition 4.12 Let M be a stationary, normal form, multi-track QTM M whose last track 
has alphabet 0, 1}. We say that M accepts x if it halts with a 1 in the last track of the 
start celi. Otherwise we say that M rejects x. 

A QTM accepts the language C Ç (E — #)* with probability p if M accepts with prob- 
ability at least p every string x G C and rejects with probability at least p every string 
i£(E- #)* — C We define the class BQP (bounded-error quantum polynomial time) as 
the set of languages which are accepted with probability 2/3 by some polynomial-time QTM. 
More generally, we define the class BQTime(T(n)) as the set of languages which are accepted 
with probability 2/3 by some QTM whose running time on any input of length n is bounded 
by T{n). 

4.2 Boosting and Subroutine Calls 

Theorem 4.13 // QTM M accepts language C with probability 2/3 in time T{n) > n, with 
T{n) time-constructible, then for any e > 0, there is a QTM M' which accepts C with 
probability 1 — e in time cT{n) where c is polynomial in logl/e but independent of n. 

Proof. Let M be a stationary QTM which accepts the language C in time T(n). 

We will build a machine that runs k independent copies of M and then takes the 
majority vote of the k answers. On any input x, M will have some final superposition 
of strings J2i a i\ x i)- If we ca U A the set of i for which Xi has the correct answer M(x) 
then J2íça \ a i\ 2 ^ 2/3. Now running M on separate copies of its input k times will produce 
a h ' ' ' a i k \ x h) ' ' ' \ x ik)- Then the probability of seeing Ix^) ■ ■ ■ \xi k ) such that the 
majority have the correct answer M(x) is the sum of («ij 2 • • • \cïi k \ 2 such that the majority 
of ii, ... ,ik lie in A. But this is just like taking the majority of k independent coin flips each 
with probability at least 2/3 of heads. Therefore there is some constant b such that when 
k = òlog 1/e, the probability of seeing the correct answer will be at least 1 — e. 

So, we will build a machine to carry out the following steps. 



15 



1. Compute n = T(\x\). 

2. Write out k copies of the input x spaced out with 2n blank celis in between, and write 
down k and n on other tracks. 

3. Loop k times on a machine that runs M and then steps n times to the right. 

4. Calculate the majority of the k answers and write it back in the start celi. 



We construct the desired QTM by building a QTM for each of these four steps and then 
dovetailing them together. 

Since Steps 1, 2, and 4 require easily computable functions whose output length depend 
only on k and the length of x, we can carry them out using well-behaved, normal form 



QTMs, constructed using Theorem [4.4| , whose running times also depend only on k and the 
length of x. 

So, we complete the proof by constructing a QTM to run the given machine k times. 
First, using Theorem Ojwe can construct a stationary, normal form QTM which drags the 



integers k and n one square to the right on its work track. If we add a single step right 



to the end of this QTM and apply Lemma [O, we can build a well-behaved, normal form 



QTM moves which n squares to the right, dragging k and n along with it. Dovetailing this 



machine after M, and then applying Lemma [ïj| gives a normal form QTM that runs M on 



each of the k copies of the input. Finally, we can dovetail with a machine to return with k 
and n to the start celi by using Lemma [4.9| two more times around a QTM which carries k 
and n one step to the left. □ 



The extra information on the output tape of a QTM can be erased by copying the desired 
output to another track, and then running the reverse of the QTM. If the output is the same 
in every configuration in the final superposition, then this reversal will exactly recover the 
input. Unfortunately, if the output differs in different configurations, then saving the output 
will prevent these configurations from interfering when the machine is reversed, and the 
input will not be recovered. We show is the same in most of the final superposition, then 
the reversal must lead us close to the input. 

Theorem 4.14 If the language £ is contained in the class BQTime(T(n)), with T(n) > n 
and T(n) time-constructible, then for any e > 0, there is a QTM M' which accepts £ with 
probability 1 — e and has the following property. When run on input x of length n, M' 
runs for time bounded by cT(n), where c is a polynomial in logl/e, and produces a final 
superposition in which \x)\C(x)), with C(x) = 1 if x G £ and otherwise, has squared 
magnitude at least 1 — e. 

Proof. Let M = (£, Q, 5) be a stationary, normal form QTM which accepts language £ in 
time bounded by T(n). 
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According to Theorem |4.13| , at the expense of a slowdown by factor which is polynomial 
in log í/e but independent of n, we can assume that M accepts £ with probability 1 — e/2 
on every input. 

Then we can construct the desired M' by running M, copying the answer to another 
track, and then running the reverse of M. The copy is easily accomplished with a simple 
two-step machine that steps left and back right while writing the answer on a clean track. 
Using Lemma |4.11 , we can construct a normal form QTM M R which reverses M. Finally, 
with appropriate use of Lemmas |4.6| and [4.7| , we can construct the desired stationary QTM 
M' by dovetailing machines M and M R around the copying machine. 

To see that this M' has the desired properties, consider running M' on input x of length n. 
M' will first run M on x producing some final superposition of configurat ions J2 y a y\y) °f M 
on input x. Then it will write a or 1 in the extra track of the start celi of each configura- 
tion, and run M R on this superposition \<p) = J2 y a y\y)\b y )- K we were to instead run M R on 
the superposition \<f>') = J2 y a y\y)\M(x)) we would after T(n) steps have the superposition 
consisting entirely of the final configuration with output x; M(x). Clearly, {4>\4>') is real, and 
since M has success probability at least 1 — e/2, {4>\4>') > Vl — £• Therefore, since the time 
evolution of M R is unitary and hence preserves the inner product, the final superposition of 
M 1 must have an inner product with |x)|M(x)) which is real and at least 1 — e/2. There- 
fore, the squared magnitude in the final superposition of M' of the final configuration with 
output x; M(x) must be at least (1 — e/2) 2 > 1 — e. □ 



Corollary 4.15 BQP BQP = BQP. 



Acknowledgement 

We wish to thank Bob Solovay for several useful discussions. 



References 

[1] Babai, L. and Moran, S., "Arthur - Merlin games: A randomized proof system, and a 
hierarchy of complexity classes", Journal of Computer and System Sciences, vol. 36, 
1988, pp. 254-276. 

[2] Bennett, C. H., "Logical reversibility of computation" , IBM Journal of Research and 
Development, vol. 17, 1973, pp. 525-532. 

[3] Bennett, C. H. and Gili, J., "Relative to a random oracle A, P A ^ NP A ^ co-NP A 
with probability 1", SIAM Journal on Computing, vol. 10, 1981, pp. 96-113. 



17 



Bernstein, E. and Vazirani, U., "Quantum complexity theory", Proceedíngs of the 25th 
Annual ACM Symposium on Theory of Computing, 1993, pp. 11-20. 

Berthiaume, A. and Brassard, G., "The quantum challenge to structural complexity 
theory", Proceedíngs of 7th IEEE Conference on Structure in Complexity Theory, 1992, 
pp. 132-137. 

Berthiaume, A. and Brassard, G., "Oracle quantum computing", Journal of Modern 
Òptics, vol. 41, no. 12, December 1994, pp. 2521-2535. 

Boyer, M., Brassard, G., H0yer, P. and Tapp, A., "Tight bounds on quantum searching", 
Proceedíngs of the Fourth Workshop on Physics and Computation, Boston, Novem- 
ber 1996, New England Complex Systems Institute, pp. 36-43. Available online in the 



Inter Journal at |http : // inter j ournal . org 



Bshouty, N. and Jackson, J., "Learning DNF over uniform distribution using a quan- 
tum example oracle", Proceedíngs of 8th Annual ACM Conference on Computational 
Learning Theory, 1995, pp. 118-127. 

Deutsch, D., "Quantum theory, the Church-Turing principle and the universal quantum 
computer", Proceedíngs of the Royal Society, London, vol. A400, 1985, pp. 97-117. 

Deutsch, D., "Quantum computational networks", Proceedíngs of the Royal Society, 
London, vol. A425, 1989, pp. 73-90. 

Deutsch, D. and Jozsa, R., "Ràpid solution of problems by quantum computation", 
Proceedíngs of the Royal Society, London, vol. A439, 1992, pp. 553-558. 

Feynman, R., "Simulating physics with computers" , International Journal of Theoretícal 
Physics, vol. 21, nos. 6/7, 1982, pp. 467-488. 

Grover, L., "A fast quantum mechanical algorithm for database search", Proceedíngs of 
the 28th Annual ACM Symposium on Theory of Computing, 1996, pp. 212-219. 

Machta, J., "Phase information in quantum oracle computing", Physics Department, 
University of Massachusetts at Amherst, manuscript, May 1996. 

Shor, P. W., "Algorithms for quantum computation: Discrete logarithms and factoring", 
Proceedíngs of the 35th Annual IEEE Symposium on Foundatíons of Computer Science, 
1994, pp. 124-134. 

Simón, D., "On the power of quantum computation", Proceedíngs of the 35th Annual 
IEEE Symposium on Foundations of Computer Science, 1994, pp. 116-123. 

Yao, A., "Quantum circuit complexity", Proceedings of the 3J^th Annual IEEE Sympo- 
sium on Foundations of Computer Science, 1993, pp. 352-361. 



18 



